Three Steps To Implement Risk Management Using ServiceNow GRC

Organize categories of risks to normalize risk scores across the organization.

Consistently assess risks using a best practice workflow.

Understand and report on financial and statistical impact of risk to the organization.

We realize that managing and measuring risk to the enterprise can be an overwhelming exercise. INRY has developed a methodology called “Process Area Specific Sprints” or “PASS” by combining best practices from Agile and Prince2. PASS is designed to rapidly deploy and introduce ServiceNow functionality into the organization’s departments with a targeted focus. We accomplish this over a number of iterations, each spanning between 4-6 weeks.

This article describes a six-step process that organizations can adopt to deploy Risk Management in ServiceNow using INRY’s PASS methodology. The approach enables clients to grow their risk management capability in tandem with their Compliance and Audit Management applications. A key benefit to the approach is that the Compliance and Audit Management applications are not dependent on Risk Management being completely deployed.

Step 1: The Beginning – Identify

Before you do anything else, the first step is to identify and document your risk management process and the relationships between the risks in your risk register. From there we map them to your compliance objectives and activities.

At this stage, you should also identify a process for Risk Assessments, and Risk Measurement. ServiceNow provides two ways to measure risks: the Qualitative approach used by many of our clients (Likelihood × Impact) and the Quantitative approach (Inherent and Residual Annual Loss Exposures).

The Quantitative approach requires you to define values for Single Loss Expectancy (SLE) and Annual Rate of Occurrence (ARO) for both inherent and residual risk. Annual loss exposure is the product of SLE and ARO. Most organizations do not have the process to calculate these values with accuracy, so they tend to rely on the Qualitative approach.

Step 2: No Looking Back – Consolidate

The second step is to enable the Risk Management application in ServiceNow. The Risk Management plugin is typically included in your ServiceNow GRC licenses. The focus in this step is to consolidate your risk register and KRIs and combine them into a central repository within ServiceNow. All the information developed in Step 1, including your assessment process and the measurement approach, are consolidated and migrated into ServiceNow.

From here on, you have a minimal viable product where you can start using the tool to manage and maintain your Risks.

Step 3: The Only Way Is Up – Integrate

The key differentiation between ServiceNow GRC and the other tools out there is ServiceNow’s ability to automate risk management. If your risks have been mapped to your controls, you can now leverage ServiceNow’s Indicators.

Indicators are used to collect data to monitor and measure compliance and risks and are also used to collect audit evidence. This enables consistency and real time versus point in time measurement. By adding Indicators to Risk (think of them as Key Risk Indicators) they collect the metrics and allow you to aggregate and integrate results from various assessments.

You can also leverage other data available in ServiceNow (Service Management or Asset Management or Vendor data) to measure and monitor risks.